I’ve been busy the past bit manipulating my QA environment to better match the production environment. One of the things I’ve needed to do was pull a list of Active Directory (AD) groups from certain Organizational Units (OUs) and put them into a CSV file where I can then use it to do things like change the email domain, descriptions, etc.

The command you need is as follows, note you need to run this from a machine with the Active Directory PowerShell module installed on it.

$filename = ".\ExportedGroups.csv"
Get-ADGroup -Filter '*' | select-object * | where-object {$_.distinguishedname -like "*,OU=Container,*"} |Export-Csv -Path $filename

What the above script is doing using Get-ADGroup to grab the list of groups, selecting all the fields in the group, using a where-object to figure out which OU we want to use. The OU in this example is container but can be whatever you want or if you have OUs with the same name, then use more of the OU structure like “*,OU=Container,OU=Unique Parent Container,*”.

Finally we export the results to a file named ExportedGroups.csv which is located in the same file as the script.

One of my co-workers just came over and asked me what are the minimum amount of rights we need to let someone create SPNs (Service Principal Names)?

Good question. Off to TechNet I went looking for the answer. Typically to set SPNs you must be a member of Domain Admins or Enterprise Admins. Alternatively you can set permissions so delegated Admins can set SPNs. The wording from TechNet sounds like this:

If you need to allow delegated administrators to configure service principal names (SPNs), you must ensure that their user accounts have the Validated write to service principal name permission.

The full article can be found at http://technet.microsoft.com/en-us/library/cc731241(v=ws.10).aspx.